Terminal Access Controller Access-Control System Plus over TLS 1.3
RFC 9887, “Terminal Access Controller Access-Control System Plus over TLS 1.3”, is a Proposed Standard document published in December 2025 by T. Dahm, J. Heasley, D.C. Medway Gash, A. Ota. It updates RFC 8907. The canonical text is published by the RFC Editor.
Abstract
This document specifies the use of Transport Layer Security (TLS) version 1.3 to secure the communication channel between a Terminal Access Controller Access-Control System Plus (TACACS+) client and server. TACACS+ is a protocol used for Authentication, Authorization, and Accounting (AAA) in networked environments. The original TACACS+ protocol does not mandate the use of encryption or secure transport. This specification defines a profile for using TLS 1.3 with TACACS+, including guidance on authentication, connection establishment, and operational considerations. The goal is to enhance the confidentiality, integrity, and authenticity of TACACS+ traffic, aligning the protocol with modern security best practices.
This document updates RFC 8907.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9887 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9886 DRIP Entity Tags in the Domain Name System
- RFC 9885 Multi-Part TLVs in IS-IS
- RFC 9889 A Realization of Network Slices for 5G Networks Using Current IP/MPLS Technologies
- RFC 9884 Label Switched Path Ping for Segment Routing Path Segment Identifier with MPLS Data Plane
- RFC 9890 An Update to YANG Module Names Registration
- RFC 9883 An Attribute for Statement of Possession of a Private Key
- RFC 9891 Automated Certificate Management Environment Delay-Tolerant Networking Node ID Validation Extension
- RFC 9882 Use of the ML-DSA Signature Algorithm in the Cryptographic Message Syntax